INTRODUCTION

The Health Insurance Portability and Accountability Act (HIPAA) has the following general objectives:

- Guarantee health insurance coverage of employees.
- Reduce health care fraud and abuse.
- Introduce/implement administrative simplification to increase the effectiveness and efficiency of the health care system.
- Protect the health information of individuals against unauthorized access.

This last objective is where XYPRO products will bring the most benefit to customers striving to comply with HIPAA regulations within their HP NonStop Server enterprises.

This paper is intended for general informational purposes and does not contain exact definitions or guidelines on compliance. Indeed, the scalability factor (a single doctor's office versus a large corporate health provider) and the fact that risk assessment and mitigation are moving targets make any generic checklist unfeasible. This paper does list some of the major parts of the security standards set forth in HIPAA regulations and points to the XYPRO products that can provide a company with the technological tools to implement the policies and procedures needed to achieve compliance. Product tables toward the end of this document describe each XYPRO product cross-referenced to the standards it can be used to meet. Excerpts from the HIPAA regulations are provided in Appendix A.

DEFINITIONS & PRINCIPLES

Covered Entities (CEs) are defined by HIPAA as health plans, health care clearinghouses, and health care providers who maintain or transmit identifiable health information in any form: oral, written, or electronic. This information is referred to as Protected Health Information (PHI). HIPAA defines a series of measures that CEs must take to protect such information. Many sections of these measures involve areas that must be implemented by management, such as the creation, implementation, review, and revision of written policies and procedures.

XYPRO's XYGATE products are the tools that allow IT departments to achieve compliance with such policies as well as provide reporting to illustrate that compliance goals are being met.

HIPAA is scalable. Each CE needs to meet the specific needs and feasibility of its own facility. A single doctor's office may be able to address HIPAA with a much smaller plan and much less automation than a large corporate medical provider might need.

Risk assessment and mitigation are not static entities. HIPAA stresses that risk assessment and mitigation planning must be continuous processes that are reviewed often. New plans must be developed and implemented based on current and new threats as well as new technologies in today's fast-moving world of electronic business.

HIPAA specifically states that patient care cannot be interrupted or its quality affected in a negative way. This legislation points out that the most important objective of CEs is to take care of their patients.

HIPAA can reach outside CEs. Application Service Providers (ASPs) are third-party providers operating information systems located remotely but hosting data of the hospital and its patients. Outreach programs, remote vendor access and other third parties servicing hospital equipment are also examples of entities to whom HIPAA regulations may apply.

REQUIREMENTS & NONSTOP SERVER ENTERPRISES

Part 164, Security and Privacy, of HIPAA most directly relates to Information Technology (IT). The sections Administrative Safeguards and Technical Safeguards relate directly to needs that XYGATE products can satisfy. These sections contain standards and their corresponding implementation specifications. Implementation specifications are classified (R) REQUIRED or (A) ADDRESSABLE. If an implementation specification is ADDRESSABLE, then the CE may use some discretion as to whether that specification is a reasonable and appropriate safeguard in its environment, or whether an equivalent alternative measure is reasonable and appropriate.

What follows is a list of selected standards and how XYGATE products can help CEs achieve compliance:

Administrative Safeguards

STANDARD (a)(1) - Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

REQUIRED - Risk Analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

REQUIRED - Risk Management. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a). (See Appendix A.)
XYPRO Solutions

The two preceding specifications show the need for HP NonStop Server Security: A Practical Handbook. Authored by XYPRO and published by HP, this is the definitive reference for using native NonStop security products like Guardian and Safeguard. It provides practical guidance about administration, authorization, authentication, auditing and Best Practices. The XYGATE Security Compliance Wizard (/SW) can be used to compare the Best Practices documented in the handbook to a NonStop server environment, producing a comprehensive report that documents where a particular system complies and where it differs. Justification for variances can be annotated for tracking purposes and included in audit reports. XYGATE /SW is a Windows-based wizard that makes it possible to develop security policy and monitor compliance for an entire NonStop server enterprise from authorized desktop PCs.

REQUIRED - Sanction Policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. (Statements regarding disciplinary actions that are communicated to all employees, agents, and contractors; for example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment and contract penalties.)

REQUIRED - Information System Activity Review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

XYPRO Solutions

XYGATE Merged Audit (/MA) software lets authorized users create reports with timely mixes of information from Safeguard, Measure and all of the other XYGATE security products. Data is collected from multiple audit data sources and multiple NonStop servers, then combined to produce a single reporting repository for a total audit picture. For routine audit reports, XYGATE /MA can be set to screen out data that is always present and irrelevant (permitted logons, for example). The customizable filters catch information that isn't desired and allow it to be excluded from the audit files. For audit information too critical to wait for the next audit report cycle, XYGATE /MA supports automatic alerts, sending messages to an EMS process, a third-party IP monitor, and specified addresses (perhaps for forwarding to devices able to receive text messages, e.g. support staff mobile phones).
All audit data is loaded into a single SQL database on the system where XYGATE /MA is headquartered. Centralization of data is fundamental to the combined system reporting available. It also simplifies custom report generation and ad hoc queries using SQLCI or any PC-based SQL product that can retrieve data from a host system. Along with customized report generation, this product includes a set of standard reports for such popular topics as Alerts Issued, Logons, Failed Logons, Subject User vs. Target User and SUPER.SUPER usage.

STANDARD (a)(5) - Security Awareness. Implement a security awareness and training program for all members of its workforce (including management).
IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

ADDRESSABLE - Security Reminders. Implement periodic security updates.

ADDRESSABLE - Protection from Malicious Software. Implement procedures for guarding against, detecting, and reporting malicious software.

ADDRESSABLE - Log-In Monitoring. Implement procedures for monitoring log-in attempts and reporting discrepancies.

ADDRESSABLE - Password Management. Implement procedures for creating, changing, and safeguarding passwords.

XYPRO Solutions

The XYGATE suite includes Access Control (for Guardian and OSS), Process Control, CMON, and Spoolcom/Peruse/Archive tools. Together these products provide the core of a well-secured NonStop system, including:

- Individual accountability, restricting each user to a list of authorized actions based on that user's job functions
- Comprehensive auditing with flexible reporting
- A $CMON process that administers logon-to-logoff session controls and load balancing
- Protection of SPOOLER reports, enhanced by eliminating the need for a SUPER group id to access print jobs and adding the ability to limit and audit user actions by command, subcommand, supervisor, collector, object, and subject (user).

To extend core security, XYGATE includes tools specific to implementing more of the ADDRESSABLE issues above, with controls and reporting that are both highly granular and flexible.

XYGATE Password Quality (/PQ) makes it possible to set rules to govern password characteristics with more granularity than native NonStop security or Safeguard. XYGATE /PQ then enforces those rules, standardizing and strengthening passwords for the NonStop server support staff across all nodes. All of this can be done from XYGATE's Windows-based GUI running on authorized workstation PCs.

XYGATE User Authentication further enhances logon security by providing granular, efficient logon controls, while eliminating the need for privileged logons such as SUPER.SUPER ids.
Pre-production testing of logon rules, early detection of intrusion attempts, logons to sensitive userids, and two-factor authentication are all standard features of this product.

XYGATE Safeguard Manager is a graphical interface enabling authorized users to configure and control Safeguard global settings, users, aliases and object Access Control Lists (ACLs) from their workstation PCs. Configuration updates can be propagated to a single node, some nodes, or all nodes in a NonStop network. Remote password maintenance updates can be applied to a single user, hundreds, or thousands. Flexible grids make it easy to sort data and then drill down for details.

XYGATE Dynamic Object Security (/OS) enables the creation and implementation of rules for dynamic, pattern-oriented ACL administration using Regular Expressions. Rules can be based on many characteristics including object name, Safeguard alias, and userid. In addition, XYGATE /OS rules make it possible to govern the use of operational privileges not only for Read, Write, Execute, and Purge, but also for Rename, License, and the entire operations set supported by NonStop Servers.

Technical Safeguards

STANDARD (a)(1) - Access Control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4).
IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

REQUIRED - Unique User Identifier. Assign a unique name and/or number for identifying and tracking user identity.

REQUIRED - Emergency Access Procedure. Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

ADDRESSABLE - Automatic Logoff. Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

ADDRESSABLE - Encryption and Decryption. Implement a mechanism to encrypt and decrypt electronic protected health information.

XYPRO Solutions

XYGATE is a single solution set to efficiently meet HIPAA Access Control Standards in a variety of ways. XYGATE Access Control (/AC) allows the functional properties of one Guardian userid to be allocated and controlled for other userids, eliminating the need for direct use or sharing of privileged userids such as SUPER.SUPER. This tool not only includes controls over what programs a user is allowed to run, but also enables command-level security for the programs that the user is allowed to run. All users are able to perform their regular job functions as well as have emergency access capabilities using their own unique userid in an audited environment. XYGATE /AC commands also have the capability to request the user's password upon entry to a privileged command and/or after a timeout period of inactivity.
XYGATE CMON forces users to log on to a personal userid before logging on to SUPER.SUPER or other power userids. Additional capabilities enable security administrators to restrict users/programs to specific ports/IP addresses, audit all user logons/logoffs and enforce automatic logoffs.

XYGATE File Encryption & Key Management allows encryption of files, both stored on the system and in transit. It features support for multiple platforms (NonStop, Windows, Unix, OS390, etc.) and multiple file formats (binary, ASCII and EBCDIC data).

XYGATE Session Encryption provides end-to-end encryption to protect privacy for many types of sessions: between your NonStop Servers, and between your NonStop Servers and their network-connected PCs and other computer platforms. Examples include:

- Interactive sessions using Telnet, Multi-LAN, RS232, Async, 6530 or ASCII emulation
- Transaction sessions using bulk transfer products like ODBC, TOP and RSC
- FTP sessions using dual channels, one for data and another for commands, userids and passwords
- NonStop Windows sessions performing crypto proxy services, as done using SSL mechanisms with SafeTGate

XYGATE Encryption Software Developer Kit (/ESDK) provides APIs to encryption-enable your own applications, databases and communications. It includes support for DES, triple DES, a variety of other algorithms as well as crypto key mechanisms. XYGATE /ESDK is usable across multiple platforms and includes a digital signature mechanism to ensure data is unaltered during transmission.

STANDARD (b) - Audit Controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
IMPLEMENTATIONS: REQUIRED

REQUIRED - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

XYPRO Solutions

XYGATE Safeguard Reports (/SR) streamlines security audit reporting for NonStop server environments and enables reporting for Safeguard activities with flexibility and ease. XYGATE /SR provides a full range of pre-formatted reports, plus the ability to alter the content to meet your exact needs.
XYGATE /SR is a stand-alone product, but can be combined with other XYGATE products to further ease the effort of security audit reporting.

XYGATE Merged Audit (/MA) supplies automated and comprehensive auditing that can be combined to produce a single report providing a total picture in a timely and convenient manner. XYGATE /MA provides centralized reporting for all security-related audit logs (Safeguard, XYGATE, EMS, Measure). It facilitates the use of host- or PC-based standard tools for reports, e.g. MS Access, Excel, ODBC, Crystal Reports. This product also provides automatic alerting for security events like more than 5 failed logons in 2 minutes, SUPER.SUPER logons at certain times of day, invalid file access, etc. Alerts can be via EMS event, message to an IP address, custom (via a user-written TACL macro) or (perhaps for forwarding to devices able to receive text messages, e.g. support staff cell phones).

STANDARD (c) - Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

ADDRESSABLE - Mechanism to Authenticate Electronic Protected Health Information. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

STANDARD (d) - Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

REQUIRED - Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

XYPRO Solutions

Long before HIPAA requirements, XYGATE has been protecting integrity and authentication as it secures against unauthorized access or alteration of protected information by internal users and external intruders. XYGATE Access Control and Process Control sit between user terminals and the utility/application programs that users need in order to perform their assigned duties. Access Control Lists (ACLs) define who can have access to which privileges, in which programs, from which terminals and at what level of functionality.

XYGATE User Authentication (/UA) brings industry-best user authentication capabilities to NonStop server environments. Like many other XYPRO products, XYGATE /UA expands upon security functions native to NonStop systems, providing customer-requested enhancements like multi-factor authentication, sophisticated logon error management options and logon-specific audit reporting.
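As an added illustration of the alert rules described above for XYGATE /MA (more than 5 failed logons in 2 minutes, SUPER.SUPER logons at a certain time of day, invalid file access), the following Python evaluates three such rules over a constructed audit extract. This is not code from the paper or from XYPRO; the record layout, the thresholds and the business-hours window are assumptions of the example.

```python
"""Threshold and time-of-day alerting over audit records, in the style of the
XYGATE /MA alerts described in the paper. Added illustration, not XYPRO code:
the record layout below is constructed for this example and is not the
Safeguard or XYGATE audit format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp|event|userid|detail (detail is the
# source address for logon events and the object name for file-access events).
SAMPLE_AUDIT = """\
2004-03-02T09:58:01|LOGON_FAIL|ops.joe|10.1.2.3
2004-03-02T09:58:09|LOGON_FAIL|ops.joe|10.1.2.3
2004-03-02T09:58:20|LOGON_FAIL|ops.joe|10.1.2.3
2004-03-02T09:58:31|LOGON_FAIL|ops.joe|10.1.2.3
2004-03-02T09:58:45|LOGON_FAIL|ops.joe|10.1.2.3
2004-03-02T09:59:02|LOGON_FAIL|ops.joe|10.1.2.3
2004-03-02T09:59:30|LOGON_FAIL|ops.joe|10.1.2.3
2004-03-02T10:00:00|LOGON|super.super|10.1.2.9
2004-03-02T10:05:12|LOGON_FAIL|dev.ann|10.1.4.7
2004-03-02T10:20:40|LOGON_FAIL|dev.ann|10.1.4.7
2004-03-02T10:41:15|LOGON_FAIL|dev.ann|10.1.4.7
2004-03-03T02:15:00|LOGON|super.super|10.1.2.9
2004-03-03T02:16:30|FILE_ACCESS_DENIED|super.super|$DATA.PATIENT.RECS
"""


def parse_audit(text):
    """Split the constructed pipe-delimited records into dicts with parsed timestamps."""
    records = []
    for line in text.strip().splitlines():
        ts, event, user, detail = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "event": event,
                        "user": user, "detail": detail})
    return records


def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=2)):
    """Alert each time a userid's LOGON_FAIL count inside a sliding window
    exceeds `threshold`. A per-user deque holds the timestamps still inside
    the window; it is cleared after alerting, so a sustained burst raises one
    alert per (threshold + 1) failures rather than one per extra failure."""
    recent = defaultdict(deque)
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] != "LOGON_FAIL":
            continue
        q = recent[r["user"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((r["ts"], "FAILED_LOGON_BURST", r["user"], len(q)))
            q.clear()
    return alerts


def offhours_privileged_logons(records, privileged=("super.super",),
                               start_hour=7, end_hour=19):
    """Successful LOGON by a privileged userid outside [start_hour, end_hour)."""
    return [(r["ts"], "OFFHOURS_PRIV_LOGON", r["user"], r["detail"])
            for r in records
            if r["event"] == "LOGON" and r["user"].lower() in privileged
            and not start_hour <= r["ts"].hour < end_hour]


def denied_file_access(records):
    """Every rejected file access is reported on its own."""
    return [(r["ts"], "FILE_ACCESS_DENIED", r["user"], r["detail"])
            for r in records if r["event"] == "FILE_ACCESS_DENIED"]


def run_rules(records):
    """Apply all rules; return (timestamp, rule, userid, detail) tuples in time order."""
    alerts = (failed_logon_bursts(records)
              + offhours_privileged_logons(records)
              + denied_file_access(records))
    return sorted(alerts, key=lambda a: a[0])


if __name__ == "__main__":
    for ts, rule, user, detail in run_rules(parse_audit(SAMPLE_AUDIT)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:<20} {user:<12} {detail}")
```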
XYGATE Password Quality (/PQ) lets you set rules to govern password characteristics. Minimum numbers of upper/lower case letters and numbers, control characters, special characters, repeating characters and excluded characters are among the options provided. Also included are NonStop network-wide password updates. When a user changes a password on one system, XYGATE /PQ encrypts and propagates the change across all systems for which the userid/alias has a valid network connection. System-generated passwords and password splitting can be enabled. Automatic password
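The password characteristics listed above, as an added example that is not XYPRO's code: a policy object implementing the rule set this paper names (minimum upper/lower case letters, digits and special characters, control and excluded characters, repeating characters), together with the warning-mode operation and the system-generated passwords mentioned in the product table. The rule names and default values are this example's own assumptions.

```python
"""Password-quality rules of the kind XYGATE /PQ lets an administrator set.
Added illustration, not XYPRO code; rule names and defaults are assumptions."""
import secrets
import string
from dataclasses import dataclass

SPECIAL = frozenset(string.punctuation)


def longest_run(s):
    """Length of the longest run of one repeated character in s."""
    best = run = 0
    for i, c in enumerate(s):
        run = run + 1 if i and s[i - 1] == c else 1
        best = max(best, run)
    return best


@dataclass
class PasswordPolicy:
    min_length: int = 8
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    max_repeat: int = 2          # longest run of one character that is allowed
    allow_control: bool = False  # ASCII control characters rejected by default
    excluded_chars: str = " "    # characters never allowed anywhere
    warning_mode: bool = False   # report violations but still accept the password

    def violations(self, pw):
        """Return the rules the password breaks (empty list if it passes)."""
        v = []
        if len(pw) < self.min_length:
            v.append(f"shorter than {self.min_length}")
        if sum(c.isupper() for c in pw) < self.min_upper:
            v.append(f"fewer than {self.min_upper} upper-case letters")
        if sum(c.islower() for c in pw) < self.min_lower:
            v.append(f"fewer than {self.min_lower} lower-case letters")
        if sum(c.isdigit() for c in pw) < self.min_digits:
            v.append(f"fewer than {self.min_digits} digits")
        if sum(c in SPECIAL for c in pw) < self.min_special:
            v.append(f"fewer than {self.min_special} special characters")
        if not self.allow_control and any(ord(c) < 32 or ord(c) == 127 for c in pw):
            v.append("contains control characters")
        bad = sorted(set(pw) & set(self.excluded_chars))
        if bad:
            v.append("contains excluded characters " + repr("".join(bad)))
        if longest_run(pw) > self.max_repeat:
            v.append(f"a character repeats more than {self.max_repeat} times in a row")
        return v

    def accept(self, pw):
        """Warning mode accepts everything (violations are only reported);
        enforcing mode accepts only a password with no violations."""
        return self.warning_mode or not self.violations(pw)

    def generate(self, length=None):
        """System-generated password that satisfies this policy (CSPRNG via secrets).
        Required counts are drawn from each class first, the rest from the union,
        then shuffled; retried if the repeat or exclusion rules happen to fail."""
        classes = [(string.ascii_uppercase, self.min_upper),
                   (string.ascii_lowercase, self.min_lower),
                   (string.digits, self.min_digits),
                   (string.punctuation, self.min_special)]
        pools = [([c for c in cls if c not in self.excluded_chars], k) for cls, k in classes]
        alphabet = [c for pool, _ in pools for c in pool]
        length = max(length or self.min_length, self.min_length, sum(k for _, k in pools))
        rng = secrets.SystemRandom()
        while True:
            chars = [secrets.choice(pool) for pool, k in pools for _ in range(k)]
            chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
            rng.shuffle(chars)
            candidate = "".join(chars)
            if not self.violations(candidate):
                return candidate


if __name__ == "__main__":
    policy = PasswordPolicy()
    for pw in ("Xy7!pQ2m", "xy7!pq2m", "Xy7!pQ2mmm"):
        print(repr(pw), policy.violations(pw) or "ok")
    print("generated:", policy.generate(12))
```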

XYGATE Encryption Software Developer Kit (/ESDK) provides APIs to encryption-enable your own applications, databases and communications. It includes support for DES, triple DES, a variety of other algorithms as well as key mechanisms. XYGATE /ESDK is usable across multiple platforms and includes a digital signature mechanism to ensure data is unaltered during transmission.

CONCLUSIONS

The effort of any one company to become HIPAA compliant will depend on many factors. The size of a company, the management philosophy, and the current state of security policies and procedures are very important considerations in starting such an effort. But if an environment includes NonStop Servers, the XYGATE suite of security tools will ease the transition into the secure environment that HIPAA compliance will require.

Regulations like HIPAA bring more pressure on IT management to incorporate products like XYPRO's to bring systems into a best-practice mode, which is just not possible with the native GUARDIAN security environment. The continued protection of company assets like NonStop Servers and the data they contain, as well as satisfying the demands of auditors, make the use of security-enhancing products like XYGATE increasingly valuable.

DISCLAIMER

XYPRO has designed this document primarily as educational. Readers should note that this document has not received endorsement from any standard-setting body. Issues discussed in this paper will evolve over time. Accordingly, companies should seek counsel and appropriate advice from their risk advisors and/or auditors. In determining the propriety of any specific procedure or test, the IT professional should apply his or her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.

XYPRO makes no representations or warranties and provides no assurances that an organization's use of this document or XYGATE products will result in full compliance with the requirements of the act. Internal controls, whether automated or manual, no matter how well designed and operated, can provide only reasonable assurance of achieving security control objectives. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human factors such as errors or inappropriate override of internal controls.

PRODUCT TABLE

XYGATE products are available in convenient packages or individually, as listed in the following table.

NonStop Server Platform Security Solutions

XYGATE /AC - Access Control
Description: Enables administrators to grant privileges to NonStop staff according to job function. XYGATE /AC extends native NonStop security into the area of actions, where security is based on what a user does, providing keystroke auditing of sessions initiated in both Guardian and OSS environments.
HIPAA Standards: (a)(1) Access Control; (c) Integrity

XYGATE /CM (Fully Supported) - CMON
Description: Facilitates your security and access control needs, as well as system performance needs. This fully supported $CMON process supplies auditing of pre-logon Guardian userids or aliases, terminal device logon restrictions, double-logon to sensitive userids and parameter customization by userid. Port entries in the CMACL file control access based on TCP/IP address as well as ASYNC/LAN address. XYGATE /CM permits complete end-to-end program execution audits, placement and use of resources specified by user, requesting program, and other criteria. It gives you the ability to make virtually all processes follow $CMON directives on CPU use and priority.
HIPAA Standards: (a)(1) Security Management; (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

XYGATE /MA - Merged Audit
Description: Integrates many audit trails across multiple NonStop nodes into a single source for audit information. Pre-formatted reports provide the most commonly requested data, and you can create custom reports with timely mixes of information from Safeguard, Measure, EMS and all XYGATE security products. XYGATE /MA also supports automatic alerts, sending messages to a designated EMS process, third-party IP monitor or any addresses you choose.
HIPAA Standards: Security Standards: General Rules; (a)(1) Security Management; (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

XYGATE /OS - Dynamic Object Security
Description: Brings to HP NonStop servers a dynamic, pattern-oriented method of Access Control List security for objects. Rules based on many characteristics including object name, Safeguard alias and userid extend the ability to govern the use of operational privileges beyond Read, Write, Execute and Purge, to include Rename, License, PROGID and the entire operations set supported by NonStop servers.
HIPAA Standards: (c) Integrity

XYGATE /PQ - Password Quality
Description: Easily sets and enforces rules to govern password characteristics, systematically standardizing and strengthening passwords for NonStop server support staff. Rules can be pre-specified for any combination of eight different quality characteristics. Alternatively, a random system-generated password can be applied. Updating network passwords across all nodes, automatic expiration at initial logon, password splitting, and warning-mode operation are some of the other standard features.
HIPAA Standards: (a)(1) Access Control; (d) Person or Entity Authentication

XYGATE /PC - Process Control
Description: Implements the same type of assignable privileges to control the running of processes as XYGATE /AC supplies for interacting with those processes. XYGATE /PC can be configured to allow a non-privileged userid to STOP, DEBUG, ALTPRI, SUSPEND, and ACTIVATE any other user's running process. Additional keyword-based controls can be placed in the PCACL file to qualify processes by name, owner, hometerm, cpu, and object file name. Unlike the TACL process control commands, XYGATE /PC allows users to manipulate processes using wildcard selection criteria.
HIPAA Standards: (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

XYGATE /SM - Safeguard Manager
Description: Enables management of NonStop server security via a familiar and friendly Windows interface, streamlining administration for Safeguard global settings, users and aliases as well as object ACLs. This product is simple to use yet versatile, meeting such security administrator needs as research by object or subject, and changes applied to a single NonStop node or over many nodes at once. XYGATE /SM's form-based screens allow the security manager to focus on what needs to be done rather than how to do it.
HIPAA Standards: (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

XYGATE /SR - Safeguard Reports
Description: Bypasses the arcane and cumbersome syntax, the lack of formatting options and the inflexibility of traditional reporting tools. XYGATE /SR streamlines security audit reporting for Safeguard activity with flexibility and ease. This product provides a full range of pre-formatted reports containing just the information you need, and you can select the content of those reports in a user-friendly "check this box" fashion.
HIPAA Standards: (c) Integrity; (d) Person or Entity Authentication

XYGATE /SP - Spooler Manager, Peruse & Archive
Description: Lets you manage the attributes of NonStop server print jobs and control your spooler via a single utility. XYGATE /SP also provides Archive and Compare capabilities. Access is based on job function, without the need to use a SUPER userid.
HIPAA Standards: (a)(1) Access Control; (e) Transmission Security

APPENDIX A: EXCERPTS FROM HIPAA

SECURITY STANDARDS: GENERAL RULES

(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.

(b) Flexibility of approach.
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risk to electronic protected health information.

(c) Standards. A covered entity must comply with the standards as provided in this section and in , , , , and with respect to all electronic protected health information.

(d) Implementation specifications. In this subpart:
(1) Implementation specifications are required or addressable. If an implementation specification is required, the word "Required" appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word "Addressable" appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in , , , , or includes required implementation specifications, a covered entity must implement the implementation specifications.
(3) When a standard adopted in , , , , or includes addressable implementation specifications, a covered entity must--
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity--
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate--
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.

(e) Maintenance. Security measures implemented to comply with standards and implementation specifications adopted under and this subpart must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information as described at

ADMINISTRATIVE SAFEGUARDS

(a)(1) - Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(R) [REQUIRED] - Risk Analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
(R) [REQUIRED] - Risk Management. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a).
(R) [REQUIRED] - Sanction Policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. (Statements regarding disciplinary actions that are communicated to all employees, agents, and contractors; for example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment and contract penalties.)
(R) [REQUIRED] - Information System Activity Review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

(a)(5) - Security Awareness. Implement a security awareness and training program for all members of its workforce (including management).
(A) [ADDRESSABLE] - Security Reminders. Implement periodic security updates.
(A) [ADDRESSABLE] - Protection from Malicious Software. Implement procedures for guarding against, detecting, and reporting malicious software.
(A) [ADDRESSABLE] - Log-In Monitoring. Implement procedures for monitoring log-in attempts and reporting discrepancies.
(A) [ADDRESSABLE] - Password Management. Implement procedures for creating, changing, and safeguarding passwords.

TECHNICAL SAFEGUARDS


Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and

WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

TM Enforcive / Enterprise Security End to End Security and Compliance Management for the IBM i Enterprise Enforcive / Enterprise Security is the single most comprehensive and easy to use security and compliance

Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and procedures to govern who has access to electronic protected

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum.com 844-644-4600 This publication describes the implications of HIPAA (the Health

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

Krengel Technology HIPAA Policies and Documentation Purpose and Scope What is Protected Health Information (PHI) and What is Not What is PHI? What is not PHI? The List of 18 Protected Health Information

HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

White Paper HIPAA Compliance for the Wireless LAN JUNE 2015 This publication describes the implications of HIPAA (the Health Insurance Portability and Accountability Act of 1996) on a wireless LAN solution,

GoToAssist emote Support HIPAA compliance guide Privacy, productivity and remote support 2 The healthcare industry has benefited greatly from the ability to receive remote support from technology providers

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in